
Re: Why is port 111 still open?



On Mon, Aug 29, 2011 at 16:18, Jochen Spieker <ml@well-adjusted.de> wrote:
> Lisi:
>>
>> So the fact that nmap says that 111 is open for rpcbind does not mean that it
>> is open for rpcbind??
>
> Exactly. Nmap can only guess what program is listening on the other end.
> An easy test:
>
> (0) (root@jigsaw):~# nc -l -p 80 &
> [1] 17913
>
> (1) (root@jigsaw):~# nmap localhost | grep 80
> 80/tcp    open  http
>

well, you can ask nmap to let you know if it doesn't know (note, i
only scanned the port i wanted because i don't want to die waiting for
it)

root@shawn-desktop:~# nmap -sV --version-all -p8080 localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 17:05 EDT
Got nsock WRITE error #104 (Connection reset by peer)
Interesting ports on localhost (127.0.0.1):
PORT     STATE SERVICE     VERSION
8080/tcp open  http-proxy?

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.58 seconds
root@shawn-desktop:~# nmap -sV --version-all -p22 localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-29 17:05 EDT
Interesting ports on localhost (127.0.0.1):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

>
> Anyway, using nmap on localhost doesn't make much sense. Use netstat or
> lsof instead.
>

well, it's a nice check of what everyone else sees - i.e., apache and
mysql and the like can bind to an ip. mysql, by default, binds to
localhost, which can be missed by just looking at lsof.

just so that i don't get corrected, i know you can see the difference with lsof:
apache2 28946     root    4u  IPv4 14498250      0t0  TCP shawn-desktop.local:www (LISTEN)
apache2 28946     root    6u  IPv4 14600633      0t0  TCP localhost:www (LISTEN)

but, if a service you're looking for just doesn't show up when you
nmap, you know you won't connect to it (you'll get different results
with a port scan to localhost vs your external ip).
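
The bind-address distinction discussed in this message can be checked mechanically. The following is an added example, not part of the original post: it classifies listening sockets from `lsof -nP -iTCP -sTCP:LISTEN` output by whether they are bound to loopback, one interface, or all interfaces. The sample output, addresses, PIDs and function names are constructed for illustration, and numeric (`-nP`) output is assumed.

```python
import ipaddress

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from the thread).
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812  root    3u  IPv4  10211      0t0  TCP *:22 (LISTEN)
mysqld   1490 mysql   10u  IPv4  15320      0t0  TCP 127.0.0.1:3306 (LISTEN)
apache2  2101  root    4u  IPv4  18250      0t0  TCP 192.0.2.10:80 (LISTEN)
apache2  2101  root    6u  IPv4  18633      0t0  TCP 127.0.0.1:80 (LISTEN)
cupsd     644  root    7u  IPv6  11802      0t0  TCP [::1]:631 (LISTEN)
"""


def classify_listeners(lsof_text):
    """Return sorted (command, address, port, scope) tuples for LISTEN sockets.

    scope is "loopback" (only local clients can connect), "all" (wildcard
    bind, every interface) or "interface" (one specific non-loopback address).
    """
    rows = set()
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue  # header, blank line, or a non-listening socket
        host, _, port = fields[-2].rpartition(":")
        host = host.strip("[]")  # lsof brackets IPv6 literals
        if host == "*" or ipaddress.ip_address(host).is_unspecified:
            scope = "all"
        elif ipaddress.ip_address(host).is_loopback:
            scope = "loopback"
        else:
            scope = "interface"
        rows.add((fields[0], host, int(port), scope))
    return sorted(rows)


def externally_reachable(rows):
    """Ports a scan of the external IP could find open (firewall aside)."""
    return sorted({port for _, _, port, scope in rows if scope != "loopback"})


if __name__ == "__main__":
    listeners = classify_listeners(SAMPLE_LSOF)
    for cmd, host, port, scope in listeners:
        print(f"{cmd:8} {host:>12}:{port:<5} {scope}")
    print("visible from outside:", externally_reachable(listeners))
```

Comparing the "visible from outside" list with an nmap scan of the machine's external address shows which listeners a firewall is hiding and which are simply bound to loopback.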

